[21376] in bugtraq
Re: poprelayd and sendmail relay authentication problem (Cobalt
daemon@ATHENA.MIT.EDU (Ram'on Reyes Carri'on)
Fri Jul 6 14:35:14 2001
Date: Fri, 6 Jul 2001 09:54:01 -0500 (CDT)
From: "Ram'on Reyes Carri'on" <ramon@cimat.mx>
To: bugtraq@securityfocus.com
Message-ID: <Pine.SOL.4.21.0107060949040.20706-100000@fractal.cimat.mx>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Hi!
Yes it is true! It works, with a small change in the example to match the
string in my script (I had to customize it initially).
A quick workaround that I have just applied is to make sure that the
string does not contain /sendmail/ so it cannot be injected into syslog
via sendmail (may be injected some other way!).
Hope this helps while, a better solution is suggested.
Regards,
Ramon.
On Tue, 3 Jul 2001, Andrea Barisani wrote:
> Hi to all,
>
[...]
>
> The syslog string searched by the script is in this form for the qpop
> server
>
> /POP login by user \"[\-\_\w]+\" at \(.+\) ([0-9]\.]+)/)
>
> On some cobalt raq3 servers (with the poprelayd add-on packet installed )
> and in general on any system running the poprelayd script with sendmail is
> possible to "inject" this string in the syslog using sendmail logging. So
> anyone can insert a fake string with his own IP wich will be parsed by
> poprelayd and that will permit the use of sendmail as a relay.
>
[...]
-----------------------------------------------------------------------------
CIMAT Ramon Reyes Carrion
Apdo. Postal 402 e-mail:ramon@cimat.mx
36000 Guanajuato, Gto. Tel (52) (473) 27155 Ext 49571
MEXICO Fax (52) (473) 25749.
http://www.cimat.mx/
